DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Improved Security Required for DHS Networks
(Redacted)

Notice: The Department of Homeland Security, Office of Inspector General, has redacted this report for public release. The redactions are identified as (b)(2), comparable to 5 U.S.C. § 552(b)(2). A review under the Freedom of Information Act will be conducted upon request.

Office of Information Technology

OIG-06-05    November 12005

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared by our office as part of our DHS oversight responsibility to promote economy, effectiveness, and efficiency within the department.

This report assesses the strengths and weaknesses of controls over network security at DHS. It is based on interviews with DHS officials, direct observations, technical scans, and a review of applicable documents.

The recommendation herein has been developed to the best knowledge available to our office, and has been discussed in draft with those responsible for implementation. It is our hope that this report will result in more effective, efficient, and economical operations.
We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
    DHS Needs to Implement A Network Security Testing Program
    Conclusion and Recommendation
    Management Comments and OIG Analysis

Appendices
Appendix A: Purpose, Scope, and Methodology
Appendix B: Management Response To Draft Report
Appendix C: Vulnerabilities Detected by Component
Appendix D: NIST’s Recommended Testing Schedule
Appendix E: Major Contributors to this Report
Appendix F: Report Distribution

Abbreviations
CBP     U.S. Customs and Border Protection
CIO     Chief Information Officer
DHS     Department of Homeland Security
IDS     Intrusion Detection System
LAN     Local Area Network
NIST    National Institute of Standards and Technology
NOC     Network Operations Center
SOC     Security Operations Center
TSA     Transportation Security Administration
VAT     Vulnerability Assessment Team

Executive Summary

We audited the Department of Homeland Security (DHS) and its organizational components’ security program to determine the effectiveness of controls implemented on selected wired-based sensitive but unclassified networks. This audit included a review of applicable DHS and component security policies, procedures, and other appropriate documentation. In addition, we performed vulnerability assessments to evaluate the effectiveness of controls implemented on selected organizational components’ network devices.

Our objective was to determine whether DHS and its organizational components have implemented adequate controls to protect its networks. We interviewed DHS personnel, reviewed policies and procedures, and conducted vulnerability assessments for select network devices at four DHS organizational components: U.S. Customs and Border Protection (CBP), United States Coast Guard (Coast Guard), Transportation Security Administration (TSA), and United States Secret Service (Secret Service). Our results were summarized in separate audit reports with findings and recommendations issued to each component.

The four components reviewed are taking actions to secure their networks. Some vulnerability assessments are being performed on all or parts of the components’ network devices (for example, servers and workstations). CBP and the Secret Service have each performed a penetration test on their networks in previous years. TSA and the Secret Service are migrating to a more secure operating environment which has fewer vulnerabilities. Three of the components - CBP, TSA, and Secret Service - have implemented a centralized patch management process, which helps to ensure that all devices across the network are properly patched.

While progress has been made and efforts by the organizational components continue to improve security, specific areas need attention. The DHS Chief Information Officer (CIO) has not developed a department-wide testing program to ensure that the necessary controls over all of its networks are adequate and effective.
In addition, the components have not completely implemented DHS policies and procedures or processes that address security testing, monitoring network activities with audit trails, configuration and patch management, and contingency planning.

Security controls must be improved in order for DHS to provide adequate and effective security over its networks. Our vulnerability assessments at the components identified security concerns resulting from inadequate password controls, missing critical patches, vulnerable network devices, and weaknesses in configuration management. These security concerns provide increased potential for unauthorized access to DHS resources and data.

We made a recommendation to help DHS more effectively secure its networks. Both effective network management and security controls are needed in order to protect the confidentiality, integrity, and availability of sensitive information stored and processed on DHS information systems.

In response to our draft report, DHS agreed and has already taken steps to implement the recommendation.
DHS’ response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

There are many advantages associated with using computer networks to share information, not the least of which for government agencies is to dramatically boost productivity, efficiency, and competitiveness. However, the open nature of networks makes it important that government agencies secure their networks and protect them from vulnerabilities. As a result, network security is no longer something that resides primarily at the perimeter of a network: it must be evaluated from all points of entry into the network such as desktop and laptop computers, remote access, connections to third-party networks, and wireless access points. Effective network security is needed to protect the confidentiality, integrity, and availability of sensitive information. The primary reason to develop controls and test the security of an operational network is to identify and remedy potential vulnerabilities.

Networks are a series of interconnected devices which allow individual users and organizations to share information. A network which comprises a relatively small geographical area is known as a local area network (LAN). A network which connects various LANs dispersed over a wide geographical area is called a wide area network.
Network devices include servers, workstations, and printers (used to create, process, maintain, and view information); routers [1] and switches [2] (used to communicate information); firewalls [3] and encryption devices [4] (used to protect information being transported); and intrusion detection systems (IDS) [5] (used to monitor and analyze network events). Figure 1 is an illustration of a typical network.

Since sensitive data is stored on and transmitted along wide area networks, effectively securing networks is essential to protect sensitive data from unauthorized access, manipulation, or misuse. Improperly configured network services expose a network to internal or external threats, such as hackers and cyber-terrorist groups, as well as denial of service attacks. Further, as networks provide the entry point for access to electronic information assets, failure to secure them increases the risk of unauthorized use of sensitive data.

[1] Routers are devices which join multiple networks. Configuration information maintained in the “routing table” allows routers to filter traffic, either incoming or outgoing, based on the Internet Protocol addresses of senders and receivers.
[2] Switches are devices which join multiple networks at a low-level network protocol layer.
Switches inspect data packets as they are received, determine the source and destination device of that packet, and forward that packet appropriately.
[3] Firewalls protect a network from unauthorized access. Firewalls may be hardware devices, software programs, or a combination of the two. A firewall typically guards an internal network against unauthorized access from the outside; however, firewalls may also be configured to limit access to the outside by internal users.
[4] Encryption devices perform the task of converting plain text into an unreadable form and vice versa, in order to create secure communications.
[5] IDS is a security countermeasure that monitors the network for signs of intruders.

DHS Sensitive Systems Policy Publication 4300A (DHS Policy) provides direction to DHS’ components regarding the management and protection of sensitive systems. In addition, the policy outlines management, operational, and technical controls necessary to ensure confidentiality, integrity, availability, and authenticity within the DHS information technology infrastructure and operations. Additionally, the department developed the DHS Sensitive Systems Handbook (DHS Handbook) to provide components with specific procedures and techniques for implementing the requirements of the policy.

This audit was conducted from December 2004 through March 2005 at four DHS components: CBP, TSA, the Coast Guard, and the Secret Service.
See Appendix A for our purpose, scope, and methodology.

Results of Audit

DHS Needs to Implement A Network Security Testing Program

DHS requires a comprehensive department-wide testing program to evaluate and ensure the effectiveness of security measures and controls implemented on its networks. A testing program should be established to ensure that vulnerability assessments are an on-going, effective process that provides assessment coverage for the entire DHS network.

DHS issued policy and procedures to implement a department-wide vulnerability assessment program as part of the DHS Handbook in July 2004 (Attachment O – Vulnerability Assessment Program). Further, DHS would establish a Vulnerability Assessment Team (VAT) to provide vulnerability assessment services to the department’s organizational components. As described in the DHS Handbook, the program’s goal was to provide 100% vulnerability assessment coverage for all DHS systems (including networks) annually. Vulnerability assessments would be a four-phase process: reconnaissance, scanning, penetration testing, and reporting. The program would rely on DHS components to conduct their own assessments and report results to the DHS VAT. Where the capability to perform vulnerability assessments did not exist, the DHS VAT would perform these assessments for the components. The DHS VAT would conduct an ongoing, external assessment program for all peripheral connections to DHS networks. Annually, the DHS VAT would provide at least one independent vulnerability assessment at each DHS component.
In addition, as part of the assessment program, periodic penetration testing would be required. The DHS Computer Security Incident Response Center (CSIRC) would conduct operational oversight for the DHS VAT under the guidance of the DHS CISO.

However, as of August 2005, the department’s Vulnerability Assessment Program, as established in the Attachment, has not been implemented. Furthermore, the DHS VAT has only performed a limited number of vulnerability assessments.

To determine whether DHS and its organizational components have implemented adequate controls to protect its networks, we performed testing at four of the department’s organizational components (CBP, Coast Guard, Secret Service, and TSA). The four components covered in this review had not implemented all of the controls needed to ensure that their networks are secure. For example, the components have not implemented the necessary policies and procedures to ensure the security of their networks. In addition, we identified vulnerabilities on network devices at all components tested. The vulnerabilities identified support the fact that DHS should implement a department-wide program to either ensure compliance with established policies and procedures or to independently identify security exposures that jeopardize the security of its networks. While each of the component networks reviewed had varying degrees of network security appropriately established, the following were areas common to each which presented security issues requiring attention.

Comprehensive Network Security Assessments Are Required

The components have not developed policies or procedures to establish and implement their own comprehensive network-testing program.
Each of the four components has implemented procedures to perform some measure of vulnerability assessments on all or parts of their networks. However, the components’ programs are deficient in the following areas:
- Coast Guard and TSA have not performed other forms of security testing, such as penetration testing and password analysis.
- Penetration testing was performed at CBP in 2004 and at the Secret Service in 2003; however, both components have yet to decide whether to perform penetration testing in 2005.
- CBP is the only component reviewed that performed periodic password analysis.

The Federal Information Security Management Act of 2002 requires that federal agencies perform periodic testing to evaluate the effectiveness of security controls. Also, the National Institute of Standards and Technology (NIST) Special Publication 800-42 (Guideline for Network Security Testing) recommends organizations establish a testing program and conduct routine security testing to verify that systems have been configured correctly with the appropriate security resources and in agreement with established policies.
See Appendix D for NIST’s recommended routine testing schedule.

Established Security Policies and Procedures Require Implementation

DHS security policies and procedures, as described in the DHS Policy and Handbook, have yet to be implemented by the organizational components. The major elements not yet addressed are audit trail review and maintenance, minimum password length and complexity, and contingency planning.

None of the components reviewed have implemented an adequate procedure for recording, reviewing, and maintaining audit trail information for their networks and network devices. Audit trails can track the identity of each user attempting to access the network device, the time and date of access, and time of log off. In addition, audit trails can capture all activities performed during a session and can specifically identify those activities that have the potential to modify, bypass, or negate the system’s security safeguards.

DHS has developed a set of guidelines in its DHS Handbook to implement passwords that restrict access to authorized users only.
However, the password policies at three of four components (CBP, Coast Guard, and TSA) did not comply with DHS’ requirements for strong passwords. There were also instances of components allowing the use of shared user accounts and passwords.

Contingency plans for the networks at three of the four components (Coast Guard, Secret Service, and TSA) have either not been developed or tested. DHS policy and the Office of Management and Budget require that contingency plans be developed and the plans tested periodically. In addition, the DHS Handbook specifically requires the testing of contingency plans at a minimum annually.

Network Devices Require Strengthened Security Configurations

We performed vulnerability assessments on a sample of network devices and identified vulnerabilities at all four components reviewed. [6] We noted that the Secret Service and TSA are in the process of migrating to a more secure operating environment [redacted] and found fewer vulnerabilities on devices at these components.

[6] See Appendix C for the number of high and medium risk vulnerabilities identified by component.

Those areas where security improvements are most needed include configuration management [7], router configurations, patch management [8], and user account and password management. Without procedures in place to ensure that all material vulnerabilities are identified and reviewed, management cannot ensure that its networks - and the data that resides on them - are secure.

In addition, at all four components, many of the [redacted]

We identified vulnerabilities related to configuration management at all four components reviewed.
Improperly configured devices could make a network vulnerable to internal or external threats, such as denial of service attacks. Since networks provide the entry point for access to data, failure to secure them increases the risk of unauthorized access and use of sensitive data.

We noted vulnerabilities due to missing security patches at all four components even though three of the four components (CBP, TSA, and Secret Service) had established a centralized patch management process. Without an effective documented patch management process, DHS cannot ensure that all security vulnerabilities have been mitigated before malicious users exploit these vulnerabilities.

Our vulnerability scans disclosed weak user account and password administration, [redacted], at three of the four components (CBP, Coast Guard, and Secret Service).
These weaknesses are an indication that user accounts and passwords may not be effective in controlling access to DHS sensitive data.

[7] Configuration management is the control and documentation of the initial settings and changes made to a system’s hardware and software.
[8] Patch management, which is a component of configuration management, is a critical process used to mitigate security vulnerabilities that have been identified.

Vulnerabilities in router configurations exist at all four components reviewed. Properly configured routers permit only authorized network service requests and deny unauthorized ones. There is little assurance that components can prevent unauthorized users from connecting to their networks since all routers are not securely configured. In addition, components are unable to ensure that only legitimate users access their network resources.

Conclusion

Security vulnerabilities may continue to exist if DHS does not implement a comprehensive testing program to identify those exposures that place information systems at risk. The organizational components and the DHS CIO share the responsibility for securing all DHS networks. While the DHS CIO is responsible for the oversight and management of the DHS security program, the components, using DHS IT security policies and procedures, are required to develop their own IT security program.
The components’ security program should include those policies and procedures, including network testing, necessary to effectively secure their information systems. DHS’ policy and procedures for establishing a network security testing program have not been implemented; without specific DHS policy, the components lack sufficient guidance to implement a comprehensive security testing program.

Without performing routine security testing, DHS cannot ensure that the security controls implemented by the components are working as intended or that the sensitive data processed and stored on its networks is protected from unauthorized access and potential misuse. Security testing also reduces the likelihood of systems being compromised by identifying countermeasures for the vulnerabilities discovered.

Recommendation

We recommend that the DHS CIO:

    Implement fully its Vulnerability Assessment Program, or another process, to ensure that all DHS networks are periodically assessed for vulnerabilities, which would include vulnerability assessments and penetration testing.

Management Comments and OIG Analysis

DHS agreed with our recommendation. DHS has established an infrastructure enterprise security program, within the Office of Infrastructure Operations, that is responsible for implementing operational security management for all DHS’ computer and network resources. In addition, DHS plans to consolidate all legacy networks into a single DHS core network.
This consolidation includes the creation of a DHS Network\nOperations Center/Security Operations Center (NOC/SOC) to conduct\nperiodic vulnerability assessments and penetration testing. Furthermore,\nbeginning in FY 2006, components will be required to establish\ncomponent level NOC/SOCs that comply with DHS policy. All\ncomponent NOC/SOCs will have complementary vulnerability\nmanagement and assessment capabilities and will be required to report to\nthe DHS NOC/SOC for department-wide analysis and assessments.\n\nWe agree that the steps that DHS has taken, and plans to take, satisfy this\nrecommendation.\n\n\n\n\n       Improved Security Required for DHS Networks\n\n                         Page 9\n\x0c              Appendix A\n              Purpose, Scope, and Methodology\n\n\n\n\nPurpose, Scope, and Methodology\n              The objective of this audit was to determine whether DHS and its\n              components had implemented adequate controls for protecting its\n              networks. Specifically, we determined whether: (1) DHS and its\n              components had developed adequate policies and procedures for standard\n              configurations, patch and vulnerability management processes, reviewing\n              audit trails, performing periodic network testing, identification and\n              authentication mechanisms, and deploying anti-virus software; (2) the\n              network administration processes were adequate; (3) adequate security\n              controls were implemented on firewalls, IDS, encryption devices, routers,\n              switches, servers, network printers, and workstations; and, (4) adequate\n              physical security controls had been established to restrict access to\n              network resources.\n\n              To accomplish our audit, we conducted fieldwork at the following\n              components:\n                     Transportation Security Administration\n                     U.S. 
Customs and Border Protection\n                     United States Coast Guard\n                     United States Secret Service\n\n              We interviewed personnel at the Office of the Chief Information Officer\n              and the components. In addition, we reviewed and evaluated DHS and\n              component security policies, procedures, and other appropriate\n              documentation. During the audit, we used two software tools (Internet\n              Security Systems\xe2\x80\x99 Internet Scanner and Kane Security Analyst) to detect\n              and analyze vulnerabilities on servers, workstations, switches, and\n              network printers and another tool (Cisco Security Analyzer) to analyze\n              vulnerabilities on routers. Upon completion of the assessments, we\n              provided the components the technical reports detailing the specific\n              vulnerabilities detected on their network devices and the actions needed\n              for remediation.\n\n              We conducted our audit between December 2004 and March 2005 under\n              the authority of the Inspector General Act of 1978, as amended, and\n              according to generally accepted government auditing standards. Major\n              OIG contributors to the audit are identified in Appendix E.\n\n              The principal OIG points of contact for the audit are Frank Deffer,\n              Assistant Inspector General, Office of Information Technology at\n              (202) 254-4100 and Edward G. 
Coleman, Director, Information Security\n              Audits Division at (202) 254-5444.\n
\x0cAppendix B\nManagement Response To Draft Report\n
\x0cAppendix C\nVulnerabilities Detected by Component\n\n[Figure: Vulnerabilities Detected By Component. Y-axis: Number of Devices/Vulnerabilities; x-axis: Component (CBP, TSA, Coast Guard, Secret Service); legend: Devices Tested, High Vulnerability, Medium Vulnerability.]\n\nComponent         Devices Tested (1)    High Vulnerability    Medium Vulnerability\nCBP                      368                   456                    450\nTSA                      117                    24                     11\nSecret Service            73                    96                    112\nCoast Guard              412                   145                    601\nTotal                    970                   721                   1174\n\n(1) Devices tested include servers, workstations, switches, and network printers.\n
\x0cAppendix D\nNIST's Recommended Testing Schedule\n\nTest Type: Network Scanning\n  Frequency For Critical Systems: Continuously to Quarterly\n  Frequency For Non-Critical Systems: Semi-Annually\n  Benefit:\n    Enumerates the network structure and determines the set of active hosts and associated software\n    Identifies unauthorized hosts connected to a network\n    Identifies open ports\n    Identifies unauthorized services\n\nTest Type: Vulnerability Scanning\n  Frequency For Critical Systems: Quarterly or bi-monthly (more often for certain high risk systems), when the vulnerability database is updated\n  Frequency For Non-Critical Systems: Semi-Annually\n  Benefit:\n    Enumerates the network structure and determines the set of active hosts and associated software\n    Identifies a target set of computers to focus vulnerability analysis\n    Identifies potential vulnerabilities on the target set\n    Validates that operating systems and major applications are up-to-date with security patches and software versions\n\nTest Type: Penetration Testing\n  Frequency For Critical Systems: Annually\n  Frequency For Non-Critical Systems: Annually\n  Benefit:\n    Determines how vulnerable an organization's network is to penetration and the level of damage that can be incurred\n    Tests IT staff's response to perceived security incidents as well as their knowledge and implementation of the organization's security policy and system's security requirements\n\nTest Type: Password Analysis\n  Frequency For Critical Systems: Continuously to same frequency as password expiration policy\n  Frequency For Non-Critical Systems: Same frequency as password expiration policy\n  Benefit:\n    Verifies that the policy is effective in producing passwords that are more or less difficult to break\n    Verifies that users select passwords that are compliant with the organization's security policy\n\nTest Type: Log Review\n  Frequency For Critical Systems: Daily for critical systems (e.g., firewalls)\n  Frequency For Non-Critical Systems: Weekly\n  Benefit:\n    Validates that the system is operating according to policies\n\nTest Type: Virus Detection\n  Frequency For Critical Systems: Weekly or as required\n  Frequency For Non-Critical Systems: Weekly or as required\n  Benefit:\n    Detects and deletes viruses before successful installation on the system\n\nTest Type: War Driving\n  Frequency For Critical Systems: Continuously to weekly\n  Frequency For Non-Critical Systems: Semi-annually\n  Benefit:\n    Detects unauthorized wireless access points and prevents unauthorized access to a protected network\n
\x0cAppendix E\nMajor Contributors to this Report\n\nInformation Security Audits Division\n\nEdward G. Coleman, Director\nJeff Arman, Audit Manager\nChiu-Tong Tsang, Audit Team Leader\nBenita Holliman, Auditor\nEvan Portelos, Associate\nAnthony Nicholson, Referencer\n\nAdvanced Technology Division\n\nJim Lantzy, Director\nChris Hablas, Senior Security Engineer\n
\x0cAppendix F\nReport Distribution\n\nDepartment of Homeland Security\n\nSecretary\nDeputy Secretary\nChief of Staff\nExecutive Secretary\nGeneral Counsel\nManagement, Under Secretary\nChief Security Officer\nChief Information Officer\nChief Information Security Officer\nPublic Affairs\nLegislative Affairs\nDirector, Departmental GAO/OIG Liaison Office\nDirector, Compliance and Oversight Program\nChief Information Officer Audit Liaison\n\nOffice of Management and Budget\n\nChief, Homeland Security Branch\nDHS OIG Budget Examiner\n\nCongress\n\nCongressional Oversight and Appropriations Committees, as appropriate\n
\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General\n(OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG\nweb site at www.dhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind\nof criminal or noncriminal misconduct relative to department programs or\noperations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of\nInspector General/MAIL STOP 2600, Attention: Office of Investigations -\nHotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax\nthe complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The\nOIG seeks to protect the identity of each writer and caller.\n\x0c"